Open Finance vs. Data Gatekeeping: Who Really Controls Consumer Data Portability in the U.S.?

For a decade, “open finance” in America has been a handshake, not a law. Banks, aggregators, and apps have stitched together thousands of bilateral agreements that mostly work. In 2025, the détente is fraying. Major banks are moving to charge aggregators for API access, payments networks are pulling back from U.S. open finance bets, and federal rules meant to cement consumer data rights are being reopened and rewritten. The result is a simple question with trillion-dollar implications: who actually controls your financial data: you, your bank, or the platform you use?

The regulatory rug pull – and a second try

The Consumer Financial Protection Bureau (CFPB) finalized a Personal Financial Data Rights rule in October 2024, designed to give consumers clear, enforceable control to access and share their financial data across banks, cards, wallets, and apps, while nudging the market “away from screen scraping” and toward secure APIs and OAuth authorization flows.

Then the ground shifted. In late July 2025, the Bureau moved to replace the Biden-era framework and asked a court to pause litigation while it undertook an accelerated rewrite. In August, the CFPB issued an advance notice of proposed rulemaking to solicit new comments on scope, liability, and cost allocation, including whether banks can charge for data access and what constitutes “safe” standards. A leading law firm briefing notes that compliance dates under the 2024 rule don’t start until April 2026 and that the CFPB signaled non-enforcement while the redo is underway, with comment letters due in October 2025.

The Bureau’s own docket estimates that 100+ million U.S. consumers had used some form of consumer-authorized data sharing by 2024, underscoring how entrenched this ecosystem already is. Rewriting the rules won’t be a side show. It’s the main event.

Banks harden APIs, and start pricing open finance access

Against that uncertain backdrop, the largest banks have begun to monetize data pipes. In July, JPMorgan Chase notified aggregators it would charge for access to customer data, citing infrastructure and security costs; a Bloomberg summary sent stocks in the fintech complex lower and set off an industry debate over who pays for connectivity. PNC quickly said it was considering similar fees.

The ripple effects were immediate. Visa shuttered its U.S. open banking unit in August, telling media it would focus on Europe and Latin America where regulatory mandates create predictable access and economics; the U.S., by contrast, is now a negotiation market with rising friction.

Fintechs call this data gatekeeping: banks control the pipes, so they can meter traffic, set SLAs, and apply fees, even when the ultimate right supposedly rests with the consumer. Advocacy groups have urged the administration to uphold consumer data rights and ban data access fees, arguing they’re anti-competitive and erode portability.

“Open” is not the same as standardized

It’s tempting to blame policy turmoil alone, but the U.S. problem is structural. America’s “open banking” has been market-led, not regulator-mandated. The Financial Data Exchange (FDX) standard has made real progress – 94 million accounts were connected via the FDX API as of late 2024. Networks like Akoya pitch a “one-to-many” model for tokenized, API-only data sharing that eliminates scraping and centralizes consent management.

But FDX is voluntary, and Akoya is commercial infrastructure, not a universal utility. In practice, the U.S. is still a web of private contracts and varying bank policies, some with great latency and coverage, others brittle – plus residual scraping where APIs lag. Even where banks and aggregators have OAuth connections (e.g., Capital One–Plaid), the scope and refresh rules can differ by institution. “Open” is a patchwork.

Europe and the U.K. show a different path

Contrast that with the EU and U.K., where mandated access and central coordination have created more predictable plumbing. The EU’s next wave, PSD3/PSR and FiDA (open finance), seeks to fix PSD2’s weak spots and extend data portability beyond payments. In the U.K., the Open Banking Limited regime is evolving into a “Future Entity” with an FCA-blessed remit to set common standards, monitor API performance, and enforce adherence, precisely the centralized functions the U.S. lacks.

None of these models is perfect. EU adoption remains uneven, and the U.K. still struggles with the use of payments, but both jurisdictions have clear, enforceable rights and an entity responsible for ensuring the integrity of the system. That institutional clarity is what U.S. open finance lacks.

The economic fight underneath the policy fight

If consumers “own” their data (functionally, at least the right to port it), two thorny questions remain:

  1. Who pays for secure delivery? Banks argue that API hardening, traffic management, and monitoring impose real costs, and that the risk sits with them if something goes wrong. Hence fees. Fintechs counter that permissioned data is a consumer right and that paywalls will entrench incumbents. The JPMorgan move to price data access put the issue on a fast track.
  2. Who carries liability? The 2024 CFPB rule discouraged scraping and leaned on GLBA-grade safeguards but left plenty to sort out on liability and data minimization; the 2025 ANPR explicitly asks whether stronger, standardized protections are needed. Until liability is crisp, banks will price for risk and apps will push for “free” – a stalemate.

Control vs. portability: what “ownership” means in practice

There’s also a semantics problem. Consumers don’t “own” bank core systems. What they have (or should have) is a right to access and permission data in usable formats, with revocable consent, least-privilege scopes, and clear audit trails. That’s the spirit of Section 1033, and it’s what standards bodies like FDX and card-network developer programs are already trying to operationalize across account, card, and investments data. The policy question is whether those norms remain voluntary or become obligations with real teeth.

Three practical tests for the CFPB’s redo

If the U.S. wants open finance without chaos, the redo should be judged on three concrete outcomes:

1) Ban the bad, standardize the good. Make screen scraping a last resort with a sunset, and endorse tokenized, OAuth-based APIs with mandatory scopes and data minimization. This is essentially where the 2024 rule was pointing; the revision should finish the job and turn “discouraged” into “decommissioned.”

2) Set a fair economics model. Recognize reasonable, cost-based API fees for high-assurance delivery and monitoring, paired with obligations to provide baseline, non-discriminatory access when a consumer consents. That aligns incentives while preventing gatekeeping via pricing.

3) Create an accountability backbone. The U.S. doesn’t need a U.K.-style “Future Entity,” but it does need a designated steward for API performance metrics, security profiles, and dispute resolution. The Bureau can recognize industry standards (FDX, OAuth profiles) and require public reporting on uptime, error rates, and consent revocation flows. That would pull the market toward utility-grade reliability without heavy-handed centralization.

The bottom line

Right now, data portability and open finance in the U.S. are real but precarious. Consumers can connect apps, but access depends on private deals, bank discretion, and an unsettled rulebook. Europe and the U.K. are pushing ahead with mandated frameworks (PSD3/PSR and FiDA on the Continent, a Future Entity in Britain) to make data sharing routine and enforceable. In the U.S., by contrast, the next year will determine whether the consumer’s right to share their data is a principle with power, or an ideal that can be priced and throttled in practice.

One signal to watch: even amid turmoil, adoption keeps climbing. The FDX API is already used by tens of millions of accounts, and the CFPB counts 100+ million Americans who have authorized a data connection. The market wants portability. The question is whether policy and pricing will finally align to deliver it, without gatekeepers at the switch.
